Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to make a website secured with https

I have to build a small webapp for a company to maintain their business data... Only those within the company will be using it, but we are planning to host it in public domain, so that the employees can connect to app from various locations. (Till now I have built web apps that are hosted internally only)

I'm wondering whether I need to use a secured connection (https) or just the forms authentication is enough.

If you say https, I have some questions :

  1. What should I do to prepare my website for https. (Do I need to alter the code / Config)
  2. Is SSL and https one and the same...
  3. Do I need to apply with someone to get some license or something.
  4. Do I need to make all my pages secured or only the login page...

I was searching Internet for answer, but I was not able to get all these points... Any whitepaper or other references would also be helpful...

Feel free to ask incase you need more information.

Thanks

  • Raja
like image 590
The King Avatar asked Feb 05 '10 06:02

The King


People also ask

How can I secure my website with HTTPS for free?

To secure your website with HTTPS, you will need to install an SSL certificate and redirect HTTP to HTTPS using a . htaccess file. At one.com, we make this easy for you by setting up your HTTPS connection automatically. Our all-in-one hosting plans include a free wildcard SSL certificate, which we will install for you.

Is a website with HTTPS always secure?

A secure URL should begin with “https” rather than “http.” The “s” in “https” stands for secure, which indicates that the site is using a Secure Sockets Layer (SSL) Certificate. This lets you know that all your communication and data is encrypted as it passes from your browser to the website's server.

How do I enable HTTPS?

Switch to the 'Privacy and security' tab from the left sidebar and click on 'Security' on the right panel. 3. Then, scroll down until you find Advanced settings and enable the 'Always use secure connections' toggle. This way, Chrome will try redirecting all websites you visit to HTTPS.


2 Answers

What should I do to prepare my website for https. (Do I need to alter the code / Config)

You should keep best practices for secure coding in mind (here is a good intro: http://www.owasp.org/index.php/Secure_Coding_Principles ), otherwise all you need is a correctly set up SSL certificate.

Is SSL and https one and the same..

Pretty much, yes.

Do I need to apply with someone to get some license or something.

You can buy an SSL certificate from a certificate authority or use a self-signed certificate. The ones you can purchase vary wildly in price - from $10 to hundreds of dollars a year. You would need one of those if you set up an online shop, for example. Self-signed certificates are a viable option for an internal application. You can also use one of those for development. Here's a good tutorial on how to set up a self-signed certificate for IIS: Enabling SSL on IIS 7.0 Using Self-Signed Certificates

Do I need to make all my pages secured or only the login page..

Use HTTPS for everything, not just the initial user login. It's not going to be too much of an overhead and it will mean the data that the users send/receive from your remotely hosted application cannot be read by outside parties if it is intercepted. Even Gmail now turns on HTTPS by default.

like image 63
Rowlf Avatar answered Sep 21 '22 17:09

Rowlf


What kind of business data? Trade secrets or just stuff that they don't want people to see but if it got out, it wouldn't be a big deal? If we are talking trade secrets, financial information, customer information and stuff that's generally confidential. Then don't even go down that route.

I'm wondering whether I need to use a secured connection (https) or just the forms authentication is enough.

Use a secure connection all the way.

Do I need to alter the code / Config

Yes. Well may be not. You may want to have an expert do this for you.

Is SSL and https one and the same...

Mostly yes. People usually refer to those things as the same thing.

Do I need to apply with someone to get some license or something.

You probably want to have your certificate signed by a certificate authority. It will cost you or your client a bit of money.

Do I need to make all my pages secured or only the login page...

Use https throughout. Performance is usually not an issue if the site is meant for internal users.

I was searching Internet for answer, but I was not able to get all these points... Any whitepaper or other references would also be helpful...

Start here for some pointers: http://www.owasp.org/index.php/Category:OWASP_Guide_Project

Note that SSL is a minuscule piece of making your web site secure once it is accessible from the internet. It does not prevent most sort of hacking.

like image 45
huynhjl Avatar answered Sep 20 '22 17:09

huynhjl